Linux v3.16-rc7-64-g26bcd8b72563
- Temporarily disable aarch64patches
This commit is contained in:
parent
082b8c8ad3
commit
ecaa91af8b
14
kernel.spec
14
kernel.spec
@ -8,7 +8,7 @@ Summary: The Linux kernel
|
|||||||
# be 0.
|
# be 0.
|
||||||
%global released_kernel 0
|
%global released_kernel 0
|
||||||
|
|
||||||
%global aarch64patches 1
|
%global aarch64patches 0
|
||||||
|
|
||||||
# Sign modules on x86. Make sure the config files match this setting if more
|
# Sign modules on x86. Make sure the config files match this setting if more
|
||||||
# architectures are added.
|
# architectures are added.
|
||||||
@ -69,7 +69,7 @@ Summary: The Linux kernel
|
|||||||
# The rc snapshot level
|
# The rc snapshot level
|
||||||
%define rcrev 7
|
%define rcrev 7
|
||||||
# The git snapshot level
|
# The git snapshot level
|
||||||
%define gitrev 1
|
%define gitrev 2
|
||||||
# Set rpm version accordingly
|
# Set rpm version accordingly
|
||||||
%define rpmversion 3.%{upstream_sublevel}.0
|
%define rpmversion 3.%{upstream_sublevel}.0
|
||||||
%endif
|
%endif
|
||||||
@ -649,9 +649,6 @@ Patch25120: crypto-properly-label-AF_ALG-socket.patch
|
|||||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||||
Patch30000: kernel-arm64.patch
|
Patch30000: kernel-arm64.patch
|
||||||
|
|
||||||
#CVE-2014-5077 rhbz 1122982 1123696
|
|
||||||
Patch25124: net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch
|
|
||||||
|
|
||||||
# END OF PATCH DEFINITIONS
|
# END OF PATCH DEFINITIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -1387,9 +1384,6 @@ ApplyPatch kernel-arm64.patch -R
|
|||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
#CVE-2014-5077 rhbz 1122982 1123696
|
|
||||||
ApplyPatch net-v2-net-sctp-inherit-auth_capable-on-INIT-collisions.patch
|
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
@ -2265,6 +2259,10 @@ fi
|
|||||||
# ||----w |
|
# ||----w |
|
||||||
# || ||
|
# || ||
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.16.0-0.rc7.git2.1
|
||||||
|
- Linux v3.16-rc7-64-g26bcd8b72563
|
||||||
|
- Temporarily disable aarch64patches
|
||||||
|
|
||||||
* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
* Wed Jul 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
|
- Apply different patch from Milan Broz to fix LUKS partitions (rhbz 1115120)
|
||||||
|
|
||||||
|
@ -1,212 +0,0 @@
|
|||||||
Bugzilla: 1123696
|
|
||||||
Upstream-status: Queued for 3.16
|
|
||||||
|
|
||||||
From patchwork Tue Jul 22 13:22:45 2014
|
|
||||||
Content-Type: text/plain; charset="utf-8"
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Transfer-Encoding: 7bit
|
|
||||||
Subject: [net,v2] net: sctp: inherit auth_capable on INIT collisions
|
|
||||||
From: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
X-Patchwork-Id: 372475
|
|
||||||
Message-Id: <1406035365-1154-1-git-send-email-dborkman@redhat.com>
|
|
||||||
To: davem@davemloft.net
|
|
||||||
Cc: jgunthorpe@obsidianresearch.com, netdev@vger.kernel.org,
|
|
||||||
linux-sctp@vger.kernel.org, Vlad Yasevich <vyasevich@gmail.com>
|
|
||||||
Date: Tue, 22 Jul 2014 15:22:45 +0200
|
|
||||||
|
|
||||||
Jason reported an oops caused by SCTP on his ARM machine with
|
|
||||||
SCTP authentication enabled:
|
|
||||||
|
|
||||||
Internal error: Oops: 17 [#1] ARM
|
|
||||||
CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
|
|
||||||
task: c6eefa40 ti: c6f52000 task.ti: c6f52000
|
|
||||||
PC is at sctp_auth_calculate_hmac+0xc4/0x10c
|
|
||||||
LR is at sg_init_table+0x20/0x38
|
|
||||||
pc : [<c024bb80>] lr : [<c00f32dc>] psr: 40000013
|
|
||||||
sp : c6f538e8 ip : 00000000 fp : c6f53924
|
|
||||||
r10: c6f50d80 r9 : 00000000 r8 : 00010000
|
|
||||||
r7 : 00000000 r6 : c7be4000 r5 : 00000000 r4 : c6f56254
|
|
||||||
r3 : c00c8170 r2 : 00000001 r1 : 00000008 r0 : c6f1e660
|
|
||||||
Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
|
|
||||||
Control: 0005397f Table: 06f28000 DAC: 00000015
|
|
||||||
Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
|
|
||||||
Stack: (0xc6f538e8 to 0xc6f54000)
|
|
||||||
[...]
|
|
||||||
Backtrace:
|
|
||||||
[<c024babc>] (sctp_auth_calculate_hmac+0x0/0x10c) from [<c0249af8>] (sctp_packet_transmit+0x33c/0x5c8)
|
|
||||||
[<c02497bc>] (sctp_packet_transmit+0x0/0x5c8) from [<c023e96c>] (sctp_outq_flush+0x7fc/0x844)
|
|
||||||
[<c023e170>] (sctp_outq_flush+0x0/0x844) from [<c023ef78>] (sctp_outq_uncork+0x24/0x28)
|
|
||||||
[<c023ef54>] (sctp_outq_uncork+0x0/0x28) from [<c0234364>] (sctp_side_effects+0x1134/0x1220)
|
|
||||||
[<c0233230>] (sctp_side_effects+0x0/0x1220) from [<c02330b0>] (sctp_do_sm+0xac/0xd4)
|
|
||||||
[<c0233004>] (sctp_do_sm+0x0/0xd4) from [<c023675c>] (sctp_assoc_bh_rcv+0x118/0x160)
|
|
||||||
[<c0236644>] (sctp_assoc_bh_rcv+0x0/0x160) from [<c023d5bc>] (sctp_inq_push+0x6c/0x74)
|
|
||||||
[<c023d550>] (sctp_inq_push+0x0/0x74) from [<c024a6b0>] (sctp_rcv+0x7d8/0x888)
|
|
||||||
|
|
||||||
While we already had various kind of bugs in that area
|
|
||||||
ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
|
|
||||||
we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
|
|
||||||
auth_enable per endpoint"), this one is a bit of a different
|
|
||||||
kind.
|
|
||||||
|
|
||||||
Giving a bit more background on why SCTP authentication is
|
|
||||||
needed can be found in RFC4895:
|
|
||||||
|
|
||||||
SCTP uses 32-bit verification tags to protect itself against
|
|
||||||
blind attackers. These values are not changed during the
|
|
||||||
lifetime of an SCTP association.
|
|
||||||
|
|
||||||
Looking at new SCTP extensions, there is the need to have a
|
|
||||||
method of proving that an SCTP chunk(s) was really sent by
|
|
||||||
the original peer that started the association and not by a
|
|
||||||
malicious attacker.
|
|
||||||
|
|
||||||
To cause this bug, we're triggering an INIT collision between
|
|
||||||
peers; normal SCTP handshake where both sides intent to
|
|
||||||
authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
|
|
||||||
parameters that are being negotiated among peers:
|
|
||||||
|
|
||||||
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
|
|
||||||
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
|
|
||||||
-------------------- COOKIE-ECHO -------------------->
|
|
||||||
<-------------------- COOKIE-ACK ---------------------
|
|
||||||
|
|
||||||
RFC4895 says that each endpoint therefore knows its own random
|
|
||||||
number and the peer's random number *after* the association
|
|
||||||
has been established. The local and peer's random number along
|
|
||||||
with the shared key are then part of the secret used for
|
|
||||||
calculating the HMAC in the AUTH chunk.
|
|
||||||
|
|
||||||
Now, in our scenario, we have 2 threads with 1 non-blocking
|
|
||||||
SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
|
|
||||||
and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
|
|
||||||
sctp_bindx(3), listen(2) and connect(2) against each other,
|
|
||||||
thus the handshake looks similar to this, e.g.:
|
|
||||||
|
|
||||||
---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ---------->
|
|
||||||
<------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
|
|
||||||
<--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
|
|
||||||
-------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] -------->
|
|
||||||
...
|
|
||||||
|
|
||||||
Since such collisions can also happen with verification tags,
|
|
||||||
the RFC4895 for AUTH rather vaguely says under section 6.1:
|
|
||||||
|
|
||||||
In case of INIT collision, the rules governing the handling
|
|
||||||
of this Random Number follow the same pattern as those for
|
|
||||||
the Verification Tag, as explained in Section 5.2.4 of
|
|
||||||
RFC 2960 [5]. Therefore, each endpoint knows its own Random
|
|
||||||
Number and the peer's Random Number after the association
|
|
||||||
has been established.
|
|
||||||
|
|
||||||
In RFC2960, section 5.2.4, we're eventually hitting Action B:
|
|
||||||
|
|
||||||
B) In this case, both sides may be attempting to start an
|
|
||||||
association at about the same time but the peer endpoint
|
|
||||||
started its INIT after responding to the local endpoint's
|
|
||||||
INIT. Thus it may have picked a new Verification Tag not
|
|
||||||
being aware of the previous Tag it had sent this endpoint.
|
|
||||||
The endpoint should stay in or enter the ESTABLISHED
|
|
||||||
state but it MUST update its peer's Verification Tag from
|
|
||||||
the State Cookie, stop any init or cookie timers that may
|
|
||||||
running and send a COOKIE ACK.
|
|
||||||
|
|
||||||
In other words, the handling of the Random parameter is the
|
|
||||||
same as behavior for the Verification Tag as described in
|
|
||||||
Action B of section 5.2.4.
|
|
||||||
|
|
||||||
Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
|
|
||||||
case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
|
|
||||||
side effect interpreter, and in fact it properly copies over
|
|
||||||
peer_{random, hmacs, chunks} parameters from the newly created
|
|
||||||
association to update the existing one.
|
|
||||||
|
|
||||||
Also, the old asoc_shared_key is being released and based on
|
|
||||||
the new params, sctp_auth_asoc_init_active_key() updated.
|
|
||||||
However, the issue observed in this case is that the previous
|
|
||||||
asoc->peer.auth_capable was 0, and has *not* been updated, so
|
|
||||||
that instead of creating a new secret, we're doing an early
|
|
||||||
return from the function sctp_auth_asoc_init_active_key()
|
|
||||||
leaving asoc->asoc_shared_key as NULL. However, we now have to
|
|
||||||
authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).
|
|
||||||
|
|
||||||
That in fact causes the server side when responding with ...
|
|
||||||
|
|
||||||
<------------------ AUTH; COOKIE-ACK -----------------
|
|
||||||
|
|
||||||
... to trigger a NULL pointer dereference, since in
|
|
||||||
sctp_packet_transmit(), it discovers that an AUTH chunk is
|
|
||||||
being queued for xmit, and thus it calls sctp_auth_calculate_hmac().
|
|
||||||
|
|
||||||
Since the asoc->active_key_id is still inherited from the
|
|
||||||
endpoint, and the same as encoded into the chunk, it uses
|
|
||||||
asoc->asoc_shared_key, which is still NULL, as an asoc_key
|
|
||||||
and dereferences it in ...
|
|
||||||
|
|
||||||
crypto_hash_setkey(desc.tfm, &asoc_key->data[0], asoc_key->len)
|
|
||||||
|
|
||||||
... causing an oops. All this happens because sctp_make_cookie_ack()
|
|
||||||
called with the *new* association has the peer.auth_capable=1
|
|
||||||
and therefore marks the chunk with auth=1 after checking
|
|
||||||
sctp_auth_send_cid(), but it is *actually* sent later on over
|
|
||||||
the then *updated* association's transport that didn't initialize
|
|
||||||
its shared key due to peer.auth_capable=0. Since control chunks
|
|
||||||
in that case are not sent by the temporary association which
|
|
||||||
are scheduled for deletion, they are issued for xmit via
|
|
||||||
SCTP_CMD_REPLY in the interpreter with the context of the
|
|
||||||
*updated* association. peer.auth_capable was 0 in the updated
|
|
||||||
association (which went from COOKIE_WAIT into ESTABLISHED state),
|
|
||||||
since all previous processing that performed sctp_process_init()
|
|
||||||
was being done on temporary associations, that we eventually
|
|
||||||
throw away each time.
|
|
||||||
|
|
||||||
The correct fix is to update to the new peer.auth_capable
|
|
||||||
value as well in the collision case via sctp_assoc_update(),
|
|
||||||
so that in case the collision migrated from 0 -> 1,
|
|
||||||
sctp_auth_asoc_init_active_key() can properly recalculate
|
|
||||||
the secret. This therefore fixes the observed server panic.
|
|
||||||
|
|
||||||
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
|
|
||||||
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
|
|
||||||
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
|
|
||||||
Tested-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
|
|
||||||
Cc: Vlad Yasevich <vyasevich@gmail.com>
|
|
||||||
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
|
|
||||||
---
|
|
||||||
v1 -> v2, more notes:
|
|
||||||
|
|
||||||
I've only updated the commit description for now, this bug seems
|
|
||||||
clear to me that we would need to fix it; since RFC4895 mentions
|
|
||||||
it explicitly that on collisions, we need to *update* these params
|
|
||||||
accordingly as we would do so in RFC2960. So in other words, this
|
|
||||||
can be explained by having an *inconsistency* when doing the update
|
|
||||||
as auth_capable is *tightly coupled* with peer_random, peer_chunks,
|
|
||||||
peer_hmacs and eventually the asoc_shared_key creation.
|
|
||||||
|
|
||||||
For the rest, I went through the code and currently could not
|
|
||||||
find where we could oops if we don't have the others for now. It
|
|
||||||
needs more time and testing however. It's also not too clear from
|
|
||||||
RFC2960/RFC4960 what needs to be carried over in addition: so we
|
|
||||||
know "The endpoint should stay in or enter the ESTABLISHED state
|
|
||||||
but it MUST update its peer's Verification Tag from the State
|
|
||||||
Cookie, stop any init or cookie timers that may running and send
|
|
||||||
a COOKIE ACK." and we know that we need to update all AUTH related
|
|
||||||
members, which we do *now*.
|
|
||||||
|
|
||||||
In addition, we also need to fix AUTH + COOKIE_ECHO collisions,
|
|
||||||
as they currently cannot be resolved properly into a handshake.
|
|
||||||
|
|
||||||
net/sctp/associola.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
|
|
||||||
index 9de23a2..06a9ee6 100644
|
|
||||||
--- a/net/sctp/associola.c
|
|
||||||
+++ b/net/sctp/associola.c
|
|
||||||
@@ -1097,6 +1097,7 @@ void sctp_assoc_update(struct sctp_association *asoc,
|
|
||||||
asoc->c = new->c;
|
|
||||||
asoc->peer.rwnd = new->peer.rwnd;
|
|
||||||
asoc->peer.sack_needed = new->peer.sack_needed;
|
|
||||||
+ asoc->peer.auth_capable = new->peer.auth_capable;
|
|
||||||
asoc->peer.i = new->peer.i;
|
|
||||||
sctp_tsnmap_init(&asoc->peer.tsn_map, SCTP_TSN_MAP_INITIAL,
|
|
||||||
asoc->peer.i.initial_tsn, GFP_ATOMIC);
|
|
2
sources
2
sources
@ -1,4 +1,4 @@
|
|||||||
97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz
|
97ca1625bb40368dc41b9a7971549071 linux-3.15.tar.xz
|
||||||
ef8f4db937f521a7e323ec589536ba25 perf-man-3.15.tar.gz
|
ef8f4db937f521a7e323ec589536ba25 perf-man-3.15.tar.gz
|
||||||
cf68262d938c6ec27bc96896beb8549f patch-3.16-rc7.xz
|
cf68262d938c6ec27bc96896beb8549f patch-3.16-rc7.xz
|
||||||
d15747e3ab3760b07aaae1077ddeceed patch-3.16-rc7-git1.xz
|
3627dd3a3efad454c49e422f16dc3d44 patch-3.16-rc7-git2.xz
|
||||||
|
Loading…
Reference in New Issue
Block a user